Hybrid Attention-Based Deep Learning for Threat Traffic Recognition in IoT Networks Using the ToN_IoT Dataset

Abstract

Internet of Things networks generate high-volume, temporally structured traffic whose attack signatures span both within-flow feature patterns and cross-flow temporal dynamics. Single-paradigm classifiers cannot fully exploit this dual structure. This paper proposes HACIDS (Hybrid Attention-based CNN Intrusion Detection System), combining two-stage convolutional feature extraction, Bidirectional LSTM temporal modelling, and Multi-Head Self-Attention (MHA) for eleven-class IoT threat detection on the ToN_IoT dataset. HACIDS achieves 94.78% accuracy and macro F1 of 0.924, modest but consistent improvements over all evaluated baselines, with the most meaningful gains on rare attack categories. Results are from a single held-out split; standard deviation across repeated runs is not reported, which is acknowledged as a limitation. Performance may be partially optimistic due to sliding window overlap; traintest separation was performed before window construction. An ablation study confirms each component contributes incrementally; attention weight analysis provides indicative feature associations per attack class.